Facebook Bows to Canada's Privacy Demands

Facebook has capitulated under pressure brought by Canadian privacy regulators, agreeing to substantially revamp its policies regarding the use of members' information. The changes will be implemented universally, possibly with the hope of fending off more stringent demands from Europe or Australia -- or perhaps just to keep things simple for third-party app developers.

By Erika Morphy
08/27/09 12:50 PM PT

Facebook will be overhauling its privacy policy following an investigation by the Office of the Privacy Commissioner of Canada, which concluded that the social networking site's policies posed significant risks. The changes will affect Facebook's entire global user base.

The investigation was originally prompted by a complaint from a privacy advocacy group, the Canadian Internet Policy and Public Interest Clinic at the University of Ottawa. The Commissioner's office investigated the matter and found several areas of concern.

Facebook addressed many of the issues at that point. However, the Canadian Commissioner remained concerned about the "over-sharing" of personal information with third-party developers of Facebook apps such as games and quizzes, as well as other matters. Facebook appears to have succeeded, the second time around, at satisfying these specific concerns.

Global Politics

"This morning, I am very pleased to be able to tell you that -- following further discussions with Facebook -- the company has now agreed to make several changes which address the issues uncovered during our investigation," Jennifer Stoddart, Privacy Commissioner of Canada, said at a press conference announcing the agreement.

The Commissioner's office was unable to return a call to TechNewsWorld in time for publication.

The changes put Facebook on the path to compliance with Canada's privacy laws, Stoddart went on to say, noting that they will benefit Facebook's entire network of 200 million users worldwide -- not just Canadians.

Facebook was unable to return a call to TechNewsWorld in time for publication.

"Privacy law is much narrower in the United States than in Europe, for example," Conley told TechNewsWorld.

Canada is between the two, tilting towards Europe's comprehensive approach to privacy, he noted, adding that U.S. privacy laws and policies are oriented toward ID theft and medical disclosure.

"The presumption is that in the United States, a company can do just about anything it wants aside from these two areas," said Conley.

Indeed, Facebook could have addressed the matter by simply adopting and implementing a privacy policy specific to Canadian Facebook users, David Wong, an attorney with Barnes & Thornburg, told TechNewsWorld. "It is not uncommon for online service providers to [set] different policies in different countries in order to comply with the differences in various national laws."

Why, then, has Facebook decided to extend the newly negotiated privacy changes to its worldwide constituency? A hint to the answer can be found in Canadian Privacy Commissioner Stoddart's comment that Canada is the first country to have completed a comprehensive investigation into Facebook's privacy policies. European regulators and the Australian Office of the Privacy Commissioner are looking at them as well.

"This investigation has clearly struck a chord worldwide," Stoddart said. "We've received many calls and emails thanking us for taking on these issues -- not only from Canadians, but from people as far as France and India."

Some of the changes that Canada has negotiated will require significant technological adjustments on the part of third-party developers, which may also have played a role in the decision to roll out the new policies globally.

The changes could have an even wider impact than the Commissioner envisions.

"Facebook's new policy may cause Internet users in the U.S. to expect a higher level of protection from other social media space providers," said Barnes & Thornburg's Wong.

Common Complaints

Some of the changes Facebook will be making over the course of the year address familiar complaints: namely, that its privacy policy is opaque and that users have little control over what it does with their information. For instance, application developers have had virtually unrestricted access to Facebook users' personal information, Stoddart noted.

The new policy, though, should go far in alleviating these concerns. Facebook will be introducing ways for users to control what personal information third-party developers can access. In general, the changes are designed to help users better understand how their personal information will be used and, ultimately, to make more-informed decisions about how to share that information.

Specifically, according to the Commissioner's office, Facebook has agreed to do the following:

Retrofit its application platform in a way that will prevent any application from accessing information until it obtains express consent for each category of personal information. Users adding an application will be advised that the application wants access to specific categories of information. They will be able to control which categories of information an application is permitted to access. There will also be a link to a statement by the developer to explain how it will use the data.

Make it clear to users that they have the option of either deactivating their account or deleting their account, a distinction that will be explained in Facebook's privacy policy. Under the current policy, when users want to close their accounts, the information still remains live in Facebook's own databases. That will change when an account is deleted under the new policy.

In the long run, the changes should bolster Facebook's standing among users.

"Privacy policies for social networking sites generally work when affirmative notice, such as described here, is given to the account holder," said Renee F. Bergmann, an attorney with Thorp Reed & Armstrong.

"In the past, Facebook has attempted to make stealth changes to its privacy policy," she told TechNewsWorld. "For example, Facebook quietly changed its policy seeming to indicate it had ownership of the content and photos of the account holder's individual pages, without affirmative notice to the account holder. These stealth changes have generally not been well regarded in the Facebook community."

Social networking sites can run into problems when they are not sufficiently clear about their policies or try to walk too close to the line separating what is permissible from what is not, said Jacqueline Klosek, an attorney with Goodwin Procter.

"This can lead to confusion and complaints among users of the sites, and, ultimately, even lawsuits," she told TechNewsWorld. "For example, Facebook came under fire for sharing information about users' video rentals when a user alleged that she was not aware that the site would be sharing this information."

Still, Facebook provides a very high level of user control, Klosek went on to say. "Users are able to determine whether they wish to make the whole profile public or to share it with only certain people."

Also, users can decide who is permitted to view certain content, such as photos or posts.

More Users

The changes are particularly significant as Facebook is making deeper inroads into the commercial world. Many businesses have a Facebook page for customers' use.

Business groups also have taken to using Facebook to interact with each other, Tony Roth, CEO of Celect.org, told TechNewsWorld.

"There are particular privacy concerns for organizations or professional groups using Facebook -- especially with FacebookConnect," he said.

"Currently, it is all about giving the user total control of the permissions granted, without a lot of gatekeeping from the Web site per se. For example, let's say I am an alumnus at the University of Illinois serving on a committee for a capital campaign for a new stadium. If I use FacebookConnect as a social party line to communicate with my committee members, how do I know that data will remain private? As I log in and out, and add my friends and/or fellow committee members, how can I be sure that the data we share back and forth will remain proprietary to the 'user' or organization?"

The information eventually ends up being culled, segmented and used for marketing purposes by Facebook, suggested Roth.